"ENSURING COMPLIANCE WITH DATA PROTECTION PRINCIPLES FROM A PRACTICAL PERSPECTIVE"

PRESENTED BY: Mrs Drudeisha C-Madhub
Data Protection Commissioner
Defence and Home Affairs Department
Prime Minister's Office
Tel: 201 36 04
Email: [email protected]
Website: http://dataprotection.gov.mu

06/14/22

DATA PROTECTION OFFICE (PMO)

• Privacy is a complex and elusive concept but is generally recognised as the 'right to be left alone'. It lies at the heart of any trust relationship between an individual and another individual or an organisation. Whenever this relationship is abused, significant harm may be caused to the reputation of both the individual and the organisation.

• Information privacy, one of the limbs of privacy, is in fact known today as data protection.

• Many organisations have reduced data protection to a compliance-driven approach only, or see it from an information security perspective only, which is not the correct approach.

• This compliance-driven focus may result in uncontrolled or unforeseen data loss incidents.

• Organisations should consider data protection in a broader context: assessing information risks from an individual's perspective, adopting transparency and data minimisation principles, exploiting opportunities for differentiation through enhanced privacy practices, and ensuring that privacy needs influence their identity management agenda (since identity technologies are a prerequisite for delivering effective privacy approaches).

• Privacy is intimately entwined with identity. Organisations use identity technologies to collect information from an individual. Good collection will deliver greater anonymity and privacy, whilst poor collection may expose the individual to privacy infringements.

• Individuals should have control over their personal data. This is the message that this office wants to convey as the guiding principle for organisations, so that they adopt the right approach to data protection.

• It is now trite law to observe that data has become the lifeblood of modern economies. However, it is difficult, and at times probably impossible, to truly grasp the features and sizes of the different compartments of this fast and ever-expanding locomotive.

• The exponential growth of data creation, transmission, use and storage by an ever-growing, tentacular panoply of actors, sometimes in or out of the opaque cloud, has led to the enactment of the Data Protection Act, as most of this data is personally identifiable and most of it is controlled by someone other than the individual himself.

• Globalisation and new technologies are fundamentally changing the ways in which companies communicate and market to customers.

• They have changed both the opportunities and the risks for individuals and organisations. Many of these technologies, including Web 2.0, user-generated content and social media, are straining traditional frameworks.

• The collection of data has become more ubiquitous; data mining, analytics and behavioural targeting are becoming more common and more complex.

Today, we enjoy unprecedented new services and benefits. However, we are also reaping unprecedented privacy threats and harms.

Some pessimists say privacy is a dead concept in the information age. I say that it is not; in fact, it has just taken a new technological quagmire shape which requires some decryptive techniques, namely through the holistic and practical principles of the DPA.

The need for organisational accountability has thus become more urgent than ever before.

The proposition that "privacy is good for business" is enshrined in all the data protection principles contained in the First Schedule of the DPA.

These universal principles of data protection seek to ensure the privacy of individuals, the promotion of the free flow of data and the growth of commerce.

The founding principles of data protection are: to limit the collection, use and disclosure of personal data; to involve individuals in the data life-cycle; and to apply appropriate safeguards in a thorough manner.

These requirements are premised upon organisational transparency and accountability. The ultimate results include enhanced trust, improved efficiencies, greater innovation and a heightened competitive advantage.

The persevering confidence of individuals, business partners and regulators in organisations' data-handling practices is thus of prime importance for a healthy business.

For an organisation to demonstrate its willingness to meet expectations based on legal criteria and organisational promises, it must digest all aspects of data protection and information security.

This is reflected in the essential elements of accountability:

• Its commitment to accountability and adoption of internal policies consistent with data protection laws;

• Mechanisms to put privacy policies into effect, including privacy-enhancing tools, training and education;

• Systems for internal ongoing oversight and assurance reviews and external verification;

• Transparency and mechanisms for individual participation;

• The means for remediation and external enforcement.

To be an accountable organisation, a company must have rules based on an external regulatory measuring stick such as the Data Protection Act, industry self-regulatory guidance such as codes of practice and/or guidelines issued or approved by the Data Protection Commissioner, and international guidance such as the EU Directives on Data Protection and the OECD Guidelines or the APEC Principles. These policies must then be committed to by the organisation at the highest level.

The organisation must have all these pieces of the puzzle in place to ensure that its employees and vendors, for instance, can successfully implement its policies and commitment on data protection.

Fair information practice principles based on data protection law must be built into the core functionality of all systems' processes, from technology development to the physical structure of facilities.

In order to successfully embed data protection principles in organisational processes, seven foundational principles are to be adopted:

• Proactive, not reactive, i.e. "prevention is better than cure";

• Accountability;

• Data protection principles embedded into technological design;

• Complete functionality: "positive-sum, not zero-sum". Clear privacy rules create confident organisations which do not suffer from reticence risk and create economic advantage whilst protecting privacy;

• Complete lifecycle protection: privacy must be built into every process, from the assessment before data is collected to the oversight when data is retired or decommissioned;

• Visibility and transparency;

• Respect for user privacy.

There are virtually infinite ways in which organisations can creatively "build privacy in" to their operations and products, to earn the confidence and trust of customers, business partners and oversight bodies alike, and to be leaders in the global marketplace.

For instance, Hewlett Packard has developed an 'accountability model tool' which combines the HP Privacy Rulebook with a set of contextual, dynamically generated questionnaires to be filled in by employees and teams, so that they are aware of what privacy considerations need to be taken into account before implementing their tasks, in order to educate them on data protection.

Organisations are encouraged to develop practical standards on data protection, drawing inspiration from the guidelines Vol. 1 developed by the Commissioner and posted on the website.

They are further encouraged to implement high-level privacy management policies that will call for:

• Incorporating privacy impact assessments (PIAs) throughout the systems lifecycle, from business case to decommissioning;

• Submitting these assessments to the DPO for verification;

• Promoting greater transparency by publishing these PIAs;

• Managing privacy-related risks.

About privacy-enhancing technologies (PETs):

There is no widely accepted definition for PETs. However, a PET may be described as something that:

• Reduces or eliminates the risk of contravening data protection principles;

• Minimises the amount of personal data held;

• Empowers individuals to retain control over their personal data at all times.

Today, there is a general understanding that PETs are consistent with good design objectives for any system that handles personal data, and that they can offer demonstrable benefits and competitive advantages to the businesses and organisations that adopt them.

However, PETs should not be forced into systems or technologies that are privacy-invasive, as this would not achieve the desired effect.

In the same way that there is no definition for PETs, there is no recognised means of classifying PETs.

However, they may be categorised, according to their main functions, as either privacy management tools or privacy protection tools.

Privacy management tools: they enable the user to understand the consequences of the processing of personal information. There are a number of tools today that cater for the enterprise or the end-user market, for example P3P and IBM Secure Perspective software.

Privacy metadata: attaching standard tags to our personal information detailing the sources of the information, the consent obtained, how it is intended to be used and the policies to which the information will be subject, including the length of time the information is retained and whether user consent is obtained prior to passing that information to third parties.

Privacy protection tools: they aim to hide the user's identity, minimise the personal data revealed and camouflage network connections, so that, for example, the originating IP address is not revealed.

They may also authenticate transactions such as payments whilst making it impossible to trace a connection back to the user, for instance:

Anonymising tools: they hide the IP address of the originator and, in the case of anonymous or pseudonymous mail, the source email address.

Anonymous or pseudonymous payment: the user uses a prepaid card that is identified by a unique number.

Information security tools: such tools are important for data protection, but their primary goal is usually more modest: that of preventing unauthorised access to systems, files or communications over a network, for example by encryption.

Future challenges for PETs:

There is no doubt that PETs can provide a way of harnessing new technological advances to protect privacy.

A cultural barrier to data protection needs to be bridged in order for a change in attitude to occur. It is indeed human nature to be complacent about entrenched beliefs, but we also have to keep pace with evolving technologies. Technology is here to serve us and not the other way round. Digital assistance is good, but digital slavery is dangerous.

Privacy is broader than information security; it is about the rights of individuals, entwined with other concepts such as data security and risk management.

An organisation's executive management needs to issue clear privacy-friendly practices, as enunciated in the first set of guidelines from this office, and incorporate these practices into its risk management and management processes.

Security risk assessments rarely take into account the needs of the individual; for instance, ISO 27001 does not take into account risks from an individual's perspective, nor does it prescribe privacy controls.

Vendors are also encouraged to build privacy functions into their systems, e.g. into off-the-shelf software, and to promote them as selling points.

Assessments have to be carried out at regular stages, depending on the size and nature of the project, as systems are routinely assigned new tasks, often referred to as function creep.

To be able to respond efficiently to individuals' right of access to personal information under section 41 of the DPA, systems have to be designed to include functions that identify the presence of personal information and the individual concerned. A lack of automated access-to-personal-data functionality can considerably increase the cost of servicing such requests.
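The privacy metadata tags described on the earlier slide, and the section 41 access function called for above, as an added example in Python that is not part of the presentation: the tag layout, record contents, purposes, retention periods and dates are all assumptions constructed for illustration.

```python
# Added example, not code from the presentation: personal-data records that
# carry the privacy metadata tags the slide lists, the checks that enforce
# those tags, and a section 41 style lookup of everything held about one person.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class PrivacyMetadata:
    source: str                  # where the data was obtained
    consent_obtained: bool       # consent for the stated purposes
    intended_uses: frozenset     # purposes the data may be used for
    collected_on: date
    retention_days: int          # policy: how long it may be kept
    third_party_consent: bool    # consent to pass it to third parties


@dataclass
class Record:
    subject_id: str              # the individual the data is about
    data: dict
    meta: PrivacyMetadata


def retained_until(rec):
    return rec.meta.collected_on + timedelta(days=rec.meta.retention_days)


def check_use(rec, purpose, today, third_party=False):
    """Return (allowed, reason). Refuse uses after the retention period,
    uses the tags do not cover, and onward disclosure without consent."""
    m = rec.meta
    if today > retained_until(rec):
        return False, "retention period expired"
    if not m.consent_obtained or purpose not in m.intended_uses:
        return False, f"no consent for purpose '{purpose}'"
    if third_party and not m.third_party_consent:
        return False, "no consent for third-party disclosure"
    return True, "ok"


def subject_access(records, subject_id):
    """Section 41 style lookup: what is held about one individual, with
    the tags that explain where it came from and how it is used."""
    return [{"data": r.data, "source": r.meta.source,
             "uses": sorted(r.meta.intended_uses),
             "retained_until": retained_until(r).isoformat()}
            for r in records if r.subject_id == subject_id]


def expired(records, today):
    """Records past their retention period, due for decommissioning."""
    return [r for r in records if today > retained_until(r)]


TODAY = date(2023, 6, 1)  # constructed reference date for the sample
SAMPLE = [  # constructed sample records, not real individuals
    Record("S-001", {"name": "A. Example", "email": "a@example.test"},
           PrivacyMetadata("web signup form", True, frozenset({"billing", "support"}),
                           date(2023, 1, 10), 365, False)),
    Record("S-002", {"name": "B. Example"},
           PrivacyMetadata("partner list", True, frozenset({"marketing"}),
                           date(2020, 6, 1), 180, True)),
]
```

Running `check_use` before every use and `expired` on a schedule turns the tags into enforced policy rather than documentation, and `subject_access` answers an access request from the same tags.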

Balancing data sharing with privacy needs:

Data sharing may lead to privacy breaches. The need to share personal data within or outside organisations is often compelling.

Internal practicalities and the commercial marketing of personal data are the predominant reasons for sharing personal data. Yet data losses occur when copies are transferred from privacy-friendly systems to systems having no privacy controls, or between systems using unencrypted physical media such as CDs or memory sticks.

It is true that PETs have yet to find their way into "real world" environments, as organisations and vendors are quite worried about committing to specific PETs in case these become obsolete as technologies develop. Developments in Web 2.0, cloud computing and service-oriented architectures most likely add further complexity to this problem.

But there is one thing to be borne in mind! Surely, as we adapt and move to new technologies, just as we adapt to new conjunctures in life, we must be able to renovate these PETs in our own particular context, whenever the need arises, with the assistance of this office.